From 3920af574e2d37fec63bfd59716bb7a8bbd63545 Mon Sep 17 00:00:00 2001
From: cmyui
Date: Thu, 8 Aug 2024 08:48:11 +0200
Subject: [PATCH] fixes & make apis harder to fuck up

---
 app/repositories/users.py |  6 +++---
 app/security.py           | 26 ++++++++++++++++++++------
 app/usecases/users.py     |  3 ++-
 3 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/app/repositories/users.py b/app/repositories/users.py
index 0d354d3..74f7671 100644
--- a/app/repositories/users.py
+++ b/app/repositories/users.py
@@ -133,14 +133,14 @@ async def update_username(user_id: int, new_username: str) -> None:
     await app.state.database.execute(query, params)
-async def update_password(user_id: int, new_password: str) -> None:
+async def update_password(user_id: int, *, new_hashed_password: str) -> None:
     query = """\
         UPDATE users
-        SET password_md5 = :new_password
+        SET password_md5 = :new_hashed_password
         WHERE id = :user_id
     """
     params = {
-        "new_password": new_password,
+        "new_hashed_password": new_hashed_password,
         "user_id": user_id,
     }
diff --git a/app/security.py b/app/security.py
index 3b06a9b..1268232 100644
--- a/app/security.py
+++ b/app/security.py
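Review bot: The repository still accepts any string as `new_hashed_password` and writes it straight into `password_md5`, so a caller that passes the plaintext or a bare MD5 digest is stored silently — exactly the misuse the keyword-only rename is meant to prevent. A cheap shape check before `params` is built would make that loud instead: `if not new_hashed_password.startswith("$2"): raise ValueError("expected a bcrypt hash, got something else")` (pyca bcrypt output always begins with `$2a$`/`$2b$`/`$2y$`). The column name `password_md5` is now misleading, since the value is bcrypt(md5(password)) per app/security.py in this same patch; a docstring on update_password such as `"""Persist an already-hashed password (output of app.security.hash_osu_password), never a plaintext."""` would stop the next reader from hashing twice or not at all. The `execute` call that ends this function is outside the hunk.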
@@ -6,17 +6,31 @@
 def hash_osu_password(password: str) -> str:
     return bcrypt.hashpw(
-        hashlib.md5(password.encode()).hexdigest().encode(),
-        bcrypt.gensalt(),
+        password=hashlib.md5(
+            password.encode(),
+            usedforsecurity=False,
+        )
+        .hexdigest()
+        .encode(),
+        salt=bcrypt.gensalt(),
     ).decode()
-def check_osu_password(*, untrusted_password: str, hashed_password: str) -> bool:
+def check_osu_password(
+    *,
+    untrusted_password: str,
+    hashed_password: str,
+) -> bool:
     return bcrypt.checkpw(
-        hashlib.md5(untrusted_password.encode()).hexdigest().encode(),
-        hashed_password.encode(),
+        password=hashlib.md5(
+            untrusted_password.encode(),
+            usedforsecurity=False,
+        )
+        .hexdigest()
+        .encode(),
+        hashed_password=hashed_password.encode(),
     )
 def generate_access_token() -> str:
-    return secrets.token_urlsafe(32)
+    return secrets.token_urlsafe(nbytes=32)
diff --git a/app/usecases/users.py b/app/usecases/users.py
index d7c5eee..a55336c 100644
--- a/app/usecases/users.py
+++ b/app/usecases/users.py
@@ -159,7 +159,8 @@ async def update_password(
                 user_feedback="Incorrect password.",
             )
-    await users.update_password(user_id, new_password)
+    hashed_password = security.hash_osu_password(new_password)
+    await users.update_password(user_id, new_hashed_password=hashed_password)
     return None
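Review bot: `usedforsecurity=False` on both `hashlib.md5` calls mislabels the digest: this MD5 is the first stage of the stored credential (it is the value bcrypt protects), and the flag only tells FIPS-restricted builds to permit MD5 — it does not alter the output — so a reader should not take it as "not security-relevant"; it also requires Python 3.9+, which is worth a note if older interpreters are still targeted. The pipeline deserves a why-comment at the top of hash_osu_password, e.g. `# osu! clients submit md5(password) over the wire; we bcrypt that 32-char hex digest (well under bcrypt's 72-byte input limit), so the MD5 is a protocol artifact, not the protection.` Separately, check_osu_password still propagates the `ValueError` that `bcrypt.checkpw` raises when `hashed_password` is not a well-formed bcrypt string (e.g. a legacy row holding a bare MD5); callers reading the `-> bool` contract will not expect that, so either wrap it with `except ValueError: return False` or document the raise in a docstring.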
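Review bot: Nothing in this hunk revokes existing sessions once the password is replaced; app/security.py in the same patch issues bearer tokens via `generate_access_token`, so tokens minted under the old password presumably keep working, and a password change is exactly the moment a user needs every other session ended. If that revocation happens elsewhere in update_password — the function starts above the hunk, only its `async def update_password(` signature is visible in the header — a one-line comment beside the new `hashed_password =` line pointing to it would save the next reader the search; if it does not, it should be added before the `return None`. Since the previous code wrote the raw `new_password` to the repository and the regression is easy to reintroduce, a guarding comment such as `# always hash here: the repository stores whatever it is handed` on the new call line is cheap insurance.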